June 28, 2018 will be a watershed day in the history of U.S. data privacy legislation. California has become the first state to move away from the piecemeal U.S. approach of legislating data privacy one narrow sector at a time. Yesterday, both houses of the legislature passed – and Governor Brown signed into law – the California Consumer Privacy Act of 2018.
Earlier we wrote about the effort to pass the California Privacy Ballot Initiative No. 17-0039 (the “Ballot Initiative”), which was to appear on the November 6, 2018 ballot. The Ballot Initiative would have given consumers broad rights regarding their personal information, including the ability to learn to whom their personal information is disclosed or sold, and protection against businesses discriminating against consumers who exercise their rights under the act, including the right to opt out of the sale of their personal information. Further, the Ballot Initiative would have given consumers a private right of action to sue businesses that experienced a security breach and had failed to implement reasonable security procedures, with statutory damages of $1,000 per violation, increasing to $3,000 for willful violations.
As a sort of compromise, Senator Bob Hertzberg (D-Van Nuys) and Assemblymember Ed Chau (D-Monterey Park), joined as co-author by Senator Bill Dodd (D-Napa), resurrected a revised version of a bill introduced in 2017 that contains many of the same elements as the Ballot Initiative, although in most cases in a less aggressive form. The provisions of the California Consumer Privacy Act become operative only if the Ballot Initiative is withdrawn from the ballot. It is expected to be withdrawn today, but stay tuned on that point.
Assuming the Ballot Initiative is withdrawn, the California Consumer Privacy Act of 2018 (“CCPA”) will become effective on January 1, 2020. The delayed effective date was planned to give the legislature the ability to provide sorely needed correction and clarification to the hastily drafted (and often confusing) text before it goes into effect.
The consumer rights embedded in the CCPA will look familiar to those who have been dealing with the GDPR. It represents a major development in U.S. privacy law, and although it only applies to California residents, it will have ripple effects in the other 49 states and companies should be developing compliance plans.
Below is an overview of important portions of the proposed legislation.
- Expansion of “Personal Information” (PI):
- The CCPA expands the scope of “Personal Information” beyond the GDPR – and certainly well beyond any existing U.S. privacy law. It defines “Personal Information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably [be] linked, directly or indirectly, with a particular consumer or household.” There is a new laundry list of items to be considered PI, including IP addresses; persistent or probabilistic identifiers that can be used to identify a particular consumer or device; records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies; Internet or other electronic network activity information; professional or employment-related information; and any consumer profile built from such information.
- Consumer’s Right to Request Disclosure:
- A consumer is defined as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations,” and the CCPA applies to such consumers even if they are identified only by a unique identifier. Under the CCPA, consumers have a right to request that a business disclose the categories and specific pieces of PI it collects about the consumer, the categories of sources from which that PI is collected, the business or commercial purposes for collecting or selling the PI, and the categories of third parties with which the information is shared.
- However, consumers do not have the right to request the names of the actual entities to which the PI was transferred.
- Separately, the CCPA requires a business to inform consumers, at or before the point of collection, of the categories of PI to be collected and the purposes for which it will be used.
- Consumer’s Right to Request Deletion:
- The CCPA grants a consumer the right to request deletion of personal information collected from the consumer, and requires the business to direct its service providers to delete the information as well.
- It also provides many exceptions, including where the personal information is needed for:
- Providing a good or service requested by the consumer, or reasonably anticipated within the context of the business’s ongoing relationship with the consumer.
- Detecting security incidents, protecting against fraudulent or illegal activity, or debugging to identify and repair errors that impair existing intended functionality.
- Enabling solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
- Complying with a legal obligation.
- These exceptions could be construed fairly broadly, particularly those relating to fraud detection and debugging. A business relying on the security exception should be able to show that the retained data is actually used for detection or investigation (for example, that it feeds a monitoring or fraud system) rather than simply being kept “just in case.”
- Consumer’s Right of Access and Data Portability
- Consumers may request access to the PI held by the business, and to obtain it in a “readily usable format” that allows porting the data to another entity “without hindrance.” Upon verification of the consumer’s identity, the business must respond; however, businesses are not required to retain information obtained in a one-time transaction, or to re-identify or otherwise link information that is not maintained in identifiable form. It remains to be seen whether this applies to pseudonymized data.
- Consumers may make this request to a business no more than twice in a calendar year.
- Consumer’s Right to be Forgotten:
- A consumer has the right to request that a business delete any PI collected from the consumer, subject to the exceptions noted above. Businesses are required to notify consumers of this right to request deletion.
- Non-Discrimination/Opt Out Right:
- Opt Out: The CCPA authorizes a consumer to opt out of the sale of their personal information by a business. Businesses must provide, in a form reasonably accessible to consumers, a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information.” That link must go to a webpage that enables the consumer to opt out. The business must wait a minimum of 12 months before again requesting that a consumer who has opted out authorize the sale of their PI.
- Non-Discrimination: Businesses are prohibited from discriminating against a consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different level or quality of goods or services, unless the difference is reasonably related to the value provided to the consumer by the consumer’s data. Financial incentives offered to the consumer for the collection, sale, or deletion of PI are permitted only with the consumer’s prior opt-in consent.
- Consumers between 13 and 16 must opt in: The CCPA prohibits a business from selling the personal information of a consumer under 16 years of age unless the consumer (or, for a child under 13, the child’s parent or guardian) has affirmatively authorized the sale, referred to as the right to opt in. Consumers under the age of 13 would still be subject to the federal Children’s Online Privacy Protection Act.
- Enforcement:
- Attorney General: The CCPA is enforced by the Attorney General.
- Private Right of Action: Consumers whose nonencrypted or nonredacted personal information is subject to unauthorized disclosure as a result of the business’s “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” may bring a civil action. Note the qualifier: the remedy reaches only PI that was neither encrypted nor redacted, which makes encrypting stored PI a direct liability control as well as a security control.
- Damages: Statutory damages of not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater.
- Injunctive relief is also available.
- Mandatory Notice to Business:
- Prior to initiating an action, the consumer must provide the business 30 days’ written notice identifying the specific provisions of the title the business is alleged to have violated.
- If the business cures the violation within 30 days and provides the consumer an express written statement that it has done so and that no further violations will occur, no action for individual or class-wide statutory damages may be initiated. At this time, it is not clear how a business would “cure” an unauthorized disclosure of personal information that has already occurred.
- No notice is required to sue for actual pecuniary damages suffered as a result of alleged violations of the title.
There are other specific requirements for privacy policy disclosures, method of consumer request, and business response and other important compliance requirements that we will discuss in detail over the coming weeks. We will also be paying close attention to legislative sessions in other states for the introduction of similar legislation. Watch this space.